An American security researcher has published a file containing 10 million usernames and their corresponding passwords for educational purposes, opening himself up to the possibility of criminal prosecution.

The researcher, Mark
Burnett, released the trove of data on Monday in an
effort to further the work of others who are similarly interested
in studying online security and user behavior.

“Frequently I get requests from students and security
researchers to get a copy of my password research data. I
typically decline to share the passwords but for quite some time
I have wanted to provide a clean set of data to share with the
world,” he wrote on his personal website.

“A carefully-selected set of data provides great insight into
user behavior and is valuable for furthering password
security,” Burnett wrote. “So I built a data set of ten
million usernames and passwords that I am releasing to the public
domain.”

Yet while Burnett boasts a decade-and-a-half of IT security experience and has
co-authored no fewer than seven books on the topic, he
acknowledges in this week’s blog post that publishing his
research, even for academic purposes, poses a potentially serious
legal risk for himself.

In singling out the court issues recently encountered by Barrett
Brown – a Texas-based writer who received a 63-month sentence in
January for sharing a web link containing similarly sensitive
data – Burnett says he also risks becoming the subject of a
federal probe by dumping his own trove of data on the web.

“The arrest and aggressive prosecution of Barrett Brown had a
marked chilling effect on both journalists and security
researchers. Suddenly even linking to data was an excuse to get
raided by the FBI and potentially face serious charges. Even more
concerning is that Brown linked to data that was already public
and others had already linked to,” Burnett wrote.

Indeed, US District Court Judge Sam Lindsay sentenced Brown, 31,
last month, after the writer pleaded guilty to charges of
obstruction, making internet threats, and accessory after the
fact to the unauthorized access of a protected computer,
receiving in turn a punishment of only a few years after having
previously faced upwards of a century behind bars.

Although the bulk of that sentence stems from the plea Brown
entered concerning internet threats – he admitted in court that
he broke the law by intimidating and harassing a federal agent by
way of YouTube and Twitter (a felony) – Judge Lindsay said his
decision was reached after considering that Brown had shared a
publicly available website address that contained a trove of
sensitive details, including credit card information pilfered
from private intelligence firm Stratfor by hacktivist group
Anonymous. Prosecutors had previously charged Brown with
trafficking in stolen authentication features for copying a link
containing the information from one IRC chat room and pasting it
into another, but a high-profile campaign endorsed by the likes
of the Electronic Frontier Foundation and the Committee to
Protect Journalists led to those counts, and others, being
dropped before a plea agreement was reached. Nevertheless, Judge
Lindsay said last month that the conduct was relevant to the
matters at hand before the court, and thus factored it in when
deciding on a sentence.

This week, Burnett wrote that he compiled a list of around 10
million usernames and passwords – absent the domain information
that would reveal where the accounts could be used – that “is or
was at one time generally available to anyone and discoverable
via search engines in a plaintext” and posted them on websites
where compromised data is commonly hosted.

Although Burnett sees no issue with what he’s doing, he wrote
that the Brown sentencing may have set a rather unfortunate
precedent for security researchers.

“Most researchers are afraid to publish usernames and
passwords together because combined they become an authentication
feature,” he wrote. “If simply linking to already
released authentication features in a private IRC channel was
considered trafficking, surely the FBI would consider releasing
the actual data to the public a crime.”

“In the case of me releasing usernames and passwords, the
intent here is certainly not to defraud, facilitate unauthorized
access to a computer system, steal the identity of others, to aid
any crime or to harm any individual or entity. The sole intent is
to further research with the goal of making authentication more
secure and therefore protect from fraud and unauthorized
access.”

Attorneys for Brown argued similarly when they said their client
had no intention of furthering accessibility to stolen credit
card data by sharing a link, but was more concerned with
analyzing inner-office emails stolen from the intelligence firm’s
computer network. Later, that correspondence was published by
anti-secrecy group WikiLeaks and subsequently formed the basis
for dozens of news stories.

“Ultimately, to the best of my knowledge these passwords are
no longer valid and I have taken extraordinary measures to
make this data ineffective in targeting particular users or
organizations. This data is extremely valuable for academic and
research purposes and for furthering authentication security and
this is why I have released it to the public domain,”
Burnett wrote.

“Having said all that, I think this is completely absurd that
I have to write an entire article justifying the release of this
data out of fear of prosecution or legal harassment. I had wanted
to write an article about the data itself but I will have to do
that later because I had to write this lame thing trying to
convince the FBI not to raid me,” he continued.